Create SCP exemptions

Hi I am trying to create a policy that restrict uploading objects without encryption, also want to create an exemption for certain buckets tagged with reserved tag exempted this doesn't seem to work, i think the reason probably is that tags at the bucket level are not checked when object resource is being added.

Is there an alternative to create SCP exemptions at bucket level?

    {
      "Sid": "DenyNoEncryption",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256",
          "aws:ResourceTag/exempted": "yes"
        }
      }
    }

トピック

ストレージ管理とガバナンスセキュリティ、アイデンティティ、コンプライアンス

タグ

Amazon Simple Storage Service (S3)AWS Organizations IAM ポリシー暗号化サービスコントロールポリシー

言語

English

rePost-User-2714351

質問済み 1年前481ビュー

1回答

新しい順
投票が多い順
コメントが多い順

これらの回答は役に立ちましたか？コミュニティがあなたの知識を活用できるように、正解に賛成票を投じてください。

Try this, let me know if this resolves your issue.

Curated SCPs and Config Rules

SCP: Restrict S3 uploads

Prevent uploads of unencrypted S3 objects.

{
            "Sid": "DenyUnencryptedS3Uploads",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "s3:x-amz-server-side-encryption": ["aws:kms", "AES256"]
                },
                "Null": {
                    "s3:x-amz-server-side-encryption": "false"
                }
            }
        }
    ]
}

abemusa

回答済み 1年前

rePost-User-2714351
1年前
No this is not what i asked, i want to add an exemption when a bucket has a tag "exempted": "yes". When the tag is added to bucket i would like to NOT enforce this SCP
rePost-User-2714351
1年前
Yes the policy itself is working and preventing any non-encrypted uploads, but now i am trying to see if i can add an exemption

Create SCP exemptions

SCP: Restrict S3 uploads

関連するコンテンツ